(RADIATOR) Feature request: %{Quote:value}, nested and default value string formatting

Robin Breathe rbreathe at brookes.ac.uk
Thu Mar 20 04:46:32 CST 2008 

We're making extensive use of <AuthLog SQL>, but I have concerns about 
escaping the values specified in the Success and Failure Queries. For 
example the following:

SuccessQuery \
   INSERT INTO authlog \
     ("timestamp", "remote", "username", "client_station", \
      "called_station", "nas_ip", "nas_port", "nas_port_type_id", \
      "auth_result") \
   VALUES ('%G', %{Remote}::boolean, %2, \
      '%{OuterRequest:Calling-Station-Id}', \
      '%{OuterRequest:Called-Station-Id}', \
      '%{OuterRequest:NAS-IP-Address}', %{IntegerVal:NAS-Port}, \
      %{IntegerVal:NAS-Port-Type}, TRUE)

What if Called-Station-Id contains an SQL escape attack? (Perhaps this 
sounds silly, but we'll be receiving proxied requests from other 
organisations...).

Ideally, <AuthLog SQL> would either support a syntax similar to <AuthBy 
SQL>'s AuthSelectParam, or there would be a special %{Quote:value} 
syntax so that the above could be replaced by the following:

SuccessQuery \
   INSERT INTO authlog \
     ("timestamp", "remote", "username", "client_station", \
      "called_station", "nas_ip", "nas_port", "nas_port_type_id", \
      "auth_result") \
   VALUES ('%G', %{Remote}::boolean, %{Quote:%{User-Name}}, \
      %{Quote:%{OuterRequest:Calling-Station-Id}}, \
      %{Quote:%{OuterRequest:Called-Station-Id}}, \
      %{Quote:%{OuterRequest:NAS-IP-Address}}, %{IntegerVal:NAS-Port}, \
      %{IntegerVal:NAS-Port-Type}, TRUE)

Also incredibly useful would be the ability to chain the special 
formatters, e.g. %{IntegerVal:OuterRequest:NAS-Port-Type}, as at present 
I have to pass the request through a special <AuthBy Internal> hook in 
order to copy the NAS-Port and NAS-Port-Type attributes from outer to 
inner request
(if this is possible already, and I'm missing something, please let me 
know). Were this implemented, then the %{Quote} syntax might change to 
%{Quote:name}, e.g. %{Quote:OuterRequest:User-Name}.

Finally, the ability to specify defaults would also make life so much 
more pleasant, for example, stealing sh's syntax: 
%{Quote:%{OuterRequest:Called-Station-Id:-'00:00:00:00:00:00'}}

Would anyone else find these features useful?

Hugh: would you consider these to be reasonable feature requests?

Regards,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080320/d1465eb1/attachment.bin>

More information about the radiator mailing list